Missing permissions in @metamask/permissions-kernel-snap

Open oed opened this issue 8 months ago • 0 comments

This issue was uncovered as I was working on a submission for the https://www.hackquest.io/hackathons/MetaMask-Delegation-Toolkit-DTK-Dev-Cook-Off hackathon.

The project

I wanted to create a simple CLI tool + webapp that allows you to delegate the ability to update your ENS contenthash from the command line securely.

Design

Design was simple:

  1. create an account in the

  2. Copy the account address from (1) to the webapp and create a delegation with the following delegations to it:

    • 'allowed-targets': the resolver of the ENS domain

    • 'allowed-methods': 'setContenthash'

    • 'allowed-calldata': the ENS name (first param of (2))

  3. Display delegation and allow user to copy it into the CLI tool

  4. CLI tool can now at any time update the contenthash for the given ENS name, but cannot change anything else about the ENS name

Uncovered issues

The main problem I discovered was that the 7715 implementation doesn't support the caveat enforcers mentioned above. By analysing the '@metamask/permissions-kernel-snap' bundle code with Gemini, it looks like only the following permissions are allowed:

native-token-stream

native-token-transfer

erc20-token-transfer

erc721-token-transfer

erc1155-token-transfer

Using only these permissions, it seems impossible to achieve my goal.

oed, Apr 30 '25 11:04
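
A local model of the scoping described in the design above, as an added example that is not part of the original issue and not MetaMask's code: it checks a call against the three restrictions and reports which ones it violates. `checkCall`, the policy shape, and every address, selector and node value are hypothetical placeholders; in a real setup the selector would be that of `setContenthash` and the pinned bytes the encoded first parameter.

```javascript
// Added illustration: target, method and calldata restrictions checked locally.
const strip = (hex) => hex.toLowerCase().replace(/^0x/, "");

// policy: { targets: [address], selectors: [4-byte hex], calldata: [{ start, value }] }
// call:   { to: address, data: hex calldata }
function checkCall(policy, call) {
  const data = strip(call.data);
  if (!/^([0-9a-f]{2})*$/.test(data)) return ["calldata is not valid hex"];
  const failures = [];

  // allowed-targets: the destination must be one of the listed contracts
  if (!policy.targets.map(strip).includes(strip(call.to))) {
    failures.push("allowed-targets");
  }
  // allowed-methods: the first 4 bytes of calldata must be a listed selector
  if (data.length < 8 || !policy.selectors.map(strip).includes(data.slice(0, 8))) {
    failures.push("allowed-methods");
  }
  // allowed-calldata: the bytes starting at `start` must equal the pinned value
  // (a truncated call yields a shorter slice and therefore fails)
  for (const { start, value } of policy.calldata) {
    const want = strip(value);
    if (data.slice(start * 2, start * 2 + want.length) !== want) {
      failures.push(`allowed-calldata@${start}`);
    }
  }
  return failures;
}

// Constructed placeholder values, not real contracts, selectors or names.
const RESOLVER = "0x" + "11".repeat(20);
const OTHER_CONTRACT = "0x" + "22".repeat(20);
const SET_CONTENTHASH = "0xaabbccdd"; // stand-in for the setContenthash selector
const OTHER_METHOD = "0xdeadbeef";    // stand-in for any other resolver method
const NODE = "0x" + "ab".repeat(32);  // stand-in for the delegated name's first param
const OTHER_NODE = "0x" + "cd".repeat(32);

const policy = {
  targets: [RESOLVER],
  selectors: [SET_CONTENTHASH],
  calldata: [{ start: 4, value: NODE }], // first parameter sits right after the selector
};

// Build selector + 32-byte first parameter + constructed filler for the rest.
const mkCall = (to, selector, node) => ({ to, data: selector + strip(node) + "00".repeat(64) });

console.log(checkCall(policy, mkCall(RESOLVER, SET_CONTENTHASH, NODE)));
console.log(checkCall(policy, mkCall(RESOLVER, OTHER_METHOD, OTHER_NODE)));
```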